Supply and Demand (for security)

2018 was the year that raised the alarm in earnest about potential vulnerabilities in the supply chain for enterprise computing systems.

But with such diverse networks and widespread dependence on third parties, how can organizations expect to plug all potential leaks? Karen Epper Hoffman reports.

It sounds like the stuff of a modern-day John le Carré novel: the Chinese government exerting influence over the operations of hardware developer Super Micro Computer Inc. to spy on the enterprises to which Supermicro supplies computer chips.

First detailed in an early October Bloomberg Businessweek article, this story was quickly denied and recanted by several high-profile industry experts, including some of the 17 sources cited in the initial piece. However, this tale of seeming cyberspy intrigue, along with similar stories in recent years, has shone a spotlight on the vulnerabilities of the enterprise supply chain.

“This story is an extreme use case, but it justifies the need for governments [and companies] to do extensive and thorough assessments of their vendors and hardware,” says Itay Kozuch, director of threat research for IntSights Cyber Intelligence. “While it may seem inefficient, the one time in a million assessments that you catch something is worth the cost.”

A potential problem at Supermicro raised alarms because the company manufactures computer hardware used by business giants like Amazon and Apple, as well as the U.S. government, including the Department of Defense and the Central Intelligence Agency.

Jacob Ansari, senior manager for Schellman & Company LLC, points out the typical supply chain is “bigger than manufactured components in factories and older than the Supermicro event or non-event, depending on how you regard that [story].”

The supposed Supermicro compromise is not an isolated event, he adds, since there have long been well-documented supply chain attacks in point-of-sale software, where the attackers had compromised a third-party component, thus backdooring the POS before it even shipped to the merchant.

Matt Wilson, chief information security advisor at BTB Security, believes the Supermicro story highlights a supply chain risk which is “well-known in government circles, but relatively unknown to most [private-sector] organizations.” On the heels of this and similar cyberspying stories, Wilson and his team have seen “a slight uptick in interest from some of our enterprise customers, as well as smaller organizations that have more mature information security programs.”